SP 800-53 Makes Supply Chain and Firmware a Priority - But Are You Listening?

NIST Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations, is one of the foundational documents in modern cybersecurity. Where many frameworks and standards define high-level goals and requirements, the "what" an organization should do, SP 800-53 catalogs the specific controls that deliver on those goals, the "how".

Now in its fifth revision (Rev 5), the document is updated regularly to keep pace with changes in the cybersecurity landscape. Notably, the most recent updates reflect a major focus on firmware and on supply chain security. Supply Chain Risk Management (SR) was added as a new dedicated family of controls in Rev 5. Likewise, the word "firmware" appears 155 times in the most recent update compared to only 16 references in Rev 3. In total, firmware plays a role in 12 families of SP 800-53 controls and 40 specific underlying controls. A full analysis of these controls is available in Firmware, Supply Chain, and Frameworks: NIST SP 800-53.

Without going into that deep dive, there are three key areas where SP 800-53 highlights the importance of firmware and supply chain security.

1 – Monitoring Firmware Integrity is a Big Deal

Firmware is a key topic throughout the System and Information Integrity (SI) family of controls, and several controls describe the capabilities of a firmware security platform to a T. In particular, control SI-7 (Software, Firmware, and Information Integrity) calls out the need to:

Employ centrally managed integrity verification tools…to detect unauthorized changes to firmware.

Employ automated tools that provide notification to organization-defined personnel upon discovering discrepancies during integrity verification.

Implement cryptographic mechanisms to detect unauthorized changes to software, firmware, and information.

Verify the integrity of the boot process of organization-defined system components.

These are just a few of the high points of a control that has quite a lot to say about firmware and devices; they map to the SI-7 control enhancements for centrally managed integrity tools, automated notification of integrity violations, cryptographic protection, and verification of the boot process. However, the ability to verify firmware integrity centrally and automatically is a clear gap for most organizations today, and it is exactly the gap a firmware security platform addresses.

2 – Organizations Need to Have Control Over Their Firmware Configurations and Vulnerabilities

SP 800-53 spells out a variety of controls tied to identifying and controlling the security posture of an organization's assets, and once again, firmware plays a central role. The Configuration Management (CM) family covers the need for automated mechanisms that maintain an inventory of system components (CM-8) and "maintain consistent baseline configurations for systems" (CM-2). Likewise, RA-5 (Vulnerability Monitoring and Scanning) within the Risk Assessment family calls for monitoring and scanning for vulnerabilities with tools that "include the capability to readily update" the vulnerabilities scanned for, and for remediating what is found.

Unfortunately, most IT and security teams struggle to maintain an up-to-date inventory of their devices, let alone the many components within those devices. Additionally, low-level hardware and firmware configurations are easy to overlook, and small mistakes can leave a device defenseless. Likewise, traditional vulnerability management tools typically miss vulnerabilities in firmware because they lack the access and specialized drivers needed to see weaknesses that reside below the operating system. A firmware security platform addresses all of these shortcomings while also helping teams make corrective changes and apply updates when needed.
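To make the SI-7 capabilities above (centrally managed verification, cryptographic detection of changes, boot-process verification, automated notification) and the CM baseline comparison concrete, here is an added example of a fleet-wide firmware integrity check. It is illustrative code written for this article, not Eclypsium's product or anything from NIST; the hostnames, component names, firmware blobs and "golden" baseline are constructed. The one faithful detail is the TPM extend rule for the SHA-256 PCR bank, PCR_new = SHA-256(PCR_old || measurement), which lets a verifier replay a device's boot measurement log and compare it with the value the TPM attests independently.

```python
"""Fleet-wide firmware integrity check modelled on SI-7 and CM-2 behaviour.

Added example for this article; not Eclypsium's or NIST's code. Hostnames,
component names, firmware images and the golden baseline are constructed.
The PCR extend is the real SHA-256 rule; everything else is simplified.
"""
import hashlib

PCR_INITIAL = "00" * 32  # a freshly reset SHA-256 PCR is all zeros


def digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def pcr_extend(pcr_hex: str, measurement_hex: str) -> str:
    """TPM PCR extend for the SHA-256 bank: SHA-256(old_pcr || measurement)."""
    return hashlib.sha256(bytes.fromhex(pcr_hex) + bytes.fromhex(measurement_hex)).hexdigest()


def replay_chain(measurements):
    """Replay per-component digests (in boot order) into a final PCR value."""
    pcr = PCR_INITIAL
    for m in measurements:
        pcr = pcr_extend(pcr, m)
    return pcr


# Constructed golden firmware images, i.e. the approved configuration baseline.
BOOT_ORDER = ["boot_block", "uefi_dxe", "bootloader"]
GOLDEN_IMAGES = {
    "boot_block": b"vendor-boot-block v1.2 (constructed)",
    "uefi_dxe": b"vendor-dxe-volume v1.2 (constructed)",
    "bootloader": b"os-bootloader 2.0 (constructed)",
}
BASELINE = {name: digest(img) for name, img in GOLDEN_IMAGES.items()}
GOLDEN_PCR = replay_chain([BASELINE[n] for n in BOOT_ORDER])


def check_device(boot_chain, reported_pcr, baseline=BASELINE, order=BOOT_ORDER):
    """Return a list of findings for one device; an empty list means clean.

    boot_chain: [(component_name, image_bytes), ...] read from the device in
    measurement order (its event log). reported_pcr: the value the device's
    TPM attests, which the log cannot alter.
    """
    findings = []
    measured = {name: digest(img) for name, img in boot_chain}

    # 1. Per-component comparison against the golden baseline (what changed).
    for name in order:
        if name not in measured:
            findings.append(f"{name}: not present in boot measurement log")
        elif measured[name] != baseline[name]:
            findings.append(f"{name}: digest {measured[name][:12]} != baseline {baseline[name][:12]}")

    # 2. Log-vs-TPM check: a log that does not reproduce the attested PCR has
    #    been altered or truncated, so its per-component results are untrusted.
    if replay_chain([measured[n] for n, _ in boot_chain]) != reported_pcr:
        findings.append("measurement log does not reproduce the attested PCR (log tampered?)")

    # 3. Whole-chain check: the single attested value against the golden chain.
    if reported_pcr != replay_chain([baseline[n] for n in order]):
        findings.append("attested PCR differs from golden PCR")
    return findings


def run_fleet_check(fleet, notify=print):
    """Run the check centrally over every device and notify on discrepancies."""
    report = {}
    for hostname, boot_chain, reported_pcr in fleet:
        findings = check_device(boot_chain, reported_pcr)
        report[hostname] = findings
        for f in findings:
            notify(f"[ALERT] {hostname}: {f}")  # hook for ticketing / SIEM
    return report


def build_sample_fleet():
    """Three constructed devices: clean, implanted DXE volume, forged log."""
    clean = [(n, GOLDEN_IMAGES[n]) for n in BOOT_ORDER]
    implanted = [(n, GOLDEN_IMAGES[n] if n != "uefi_dxe" else b"vendor-dxe-volume v1.2 + implant")
                 for n in BOOT_ORDER]
    implanted_pcr = replay_chain([digest(img) for _, img in implanted])
    return [
        ("ws-001", clean, GOLDEN_PCR),
        ("ws-002", implanted, implanted_pcr),  # implant visible in log and PCR
        ("ws-003", clean, implanted_pcr),      # clean log copied in, TPM disagrees
    ]


if __name__ == "__main__":
    for host, findings in run_fleet_check(build_sample_fleet()).items():
        print(host, "clean" if not findings else f"{len(findings)} finding(s)")
```

The per-component check tells an analyst which firmware region drifted from the baseline; the replay check is what distinguishes an honest measurement log from a forged one, since a log copied from a clean machine still will not reproduce the PCR the TPM actually holds. In a real deployment the measurement log and PCR values come from a TPM quote and the TCG event log, and the baseline would be keyed per model and firmware version rather than a single golden chain.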

3 – Managing the Supply Chain and Technology Vendors Should Be an Active Process

SP 800-53 repeatedly calls out the need for organizations to verify that the technologies they acquire are authentic and properly secured throughout the product lifecycle, from development to delivery to ongoing maintenance.

A variety of firmware-relevant controls are spelled out in the System and Services Acquisition (SA) and Supply Chain Risk Management (SR) families. These include proactive assessments of technology suppliers, including "independent third-party analysis or organizational testing…of hardware, software, and firmware development processes", as well as training "organization-defined personnel to detect counterfeit system components (including hardware, software, and firmware)."

A single piece of hardware can include dozens of firmware components from any number of suppliers, sub-suppliers, and countries of origin. A firmware security platform makes it simple for security teams to scan devices and know exactly what is inside, find potential vulnerabilities, and verify that acquired assets are indeed authentic.

These are just a few of the topics that 800-53 raises in regard to an organization’s firmware security practice. There are many more including the ability to detect malicious code, threat hunting, and incident response to name a few. If you would like to learn more, we encourage you to read the full paper here and if you would like to learn more about the Eclypsium firmware security platform, please contact us at [email protected].